Proposed Regulations under Virginia's Insurance Data Security Act

We recently provided an overview of Virginia's new Insurance Data Security Act (the "Act").  Now, as required under the Act, Virginia's Bureau of Insurance has proposed regulations (the "Proposed Regs") implementing the Act.  One of the primary effects of the Proposed Regs is to distinguish between smaller licensees and the rest of the pack for purposes of specifying requirements and timing around risk assessments and information security program security measures.  Under the Proposed Regs, licensees with more than 10 employees and authorized persons are referred to as "level one" licensees, and those 10 or fewer employees and authorized persons are referred to as "level two" licensees.

For risk assessments and implementation of security measures, the Proposed Regs point level one licensees to certain NIST publications and require that they consider cybersecurity risks in their enterprise risk management processes.  For level two licenses, rather than point to NIST publications, the Proposed Regs set out specific elements and safeguards that must be addressed in risk assessments and implementation of security measures.  Significantly, the Proposed Regs set different effective dates for compliance with these provisions for level one and level two licensees.  The effective date for level one licensees is set for one year from the effective date of the Proposed Regs, while the effective date for level two licensees is set for July 1, 2022.

The Proposed Regs also provide procedures for reporting cybersecurity events to the Bureau generally, as well as options for domestic insurance companies to report certain additional details on an annual basis for cybersecurity events that do not involve access to nonpublic information (those options do not apply to domestic producers, however).

Finally, the Proposed Regs establish a notification procedure that appears to be intended to give the Bureau an opportunity to review and overrule a licensee's determination that notice to consumers is not required under the Act because there is no reasonable likelihood of identity theft or fraud.  After reviewing a licensee's basis for any such determination, the Bureau may determine that the requisite likelihood of harm does exist, and then require the licensee to notify consumers in accordance with the notification procedures in the Act.

The deadline for submitting comments or requesting a hearing in connection with the Proposed Regs is October 26, 2020.